# External access

> Review the resource access grants that reach principals outside your AWS organization

With **external access**, you can narrow the [resource access grants](/guides/platform/resource-access-grants/overview) inventory to the grants that matter most for third-party risk: those that allow a principal outside your AWS organization to reach your accounts and resources.

<Note>
  **External access** is access to your AWS accounts or resources by a principal outside your AWS organization. This is what AWS Access Analyzer and compliance frameworks call third-party access. The term *external* matches AWS Access Analyzer and is more precise than *cross-account*, which only means one account to another regardless of whether it leaves your organization.
</Note>

***

## Why external access matters

Access that stays inside your organization is governed by your own controls. Access that leaves it is held by someone else: a vendor, a partner, a federated identity, or in the worst case the public internet. You often cannot see how that access is used or revoke it on your own. Many compliance frameworks require you to inventory and review third-party access for exactly this reason.

***

## Identifying external access

A grant is external when its **Origin** is `External`. Plerion gives you several ways to isolate these grants:

* **The External access tile**: The **Resource access grants** view counts external grants in the **External access** tile, and untrusted ones in the **Untrusted external access** tile.
* **Preset views**: Use the **External**, **Untrusted external**, **Cross-org**, or **Public** chips above the table to jump straight to a slice of external access.
* **The Origin filter**: Set the **Origin** filter to `External` to show every external grant, then refine by **Scope**, **Trust**, or **Principal type**.

External grants carry one of these scopes: `Cross-org` (a specific outside account), `Federated` (an external identity provider), or `Public` (open to everyone through a wildcard principal).

You can also open the **External access** card on the **Entitlements > AWS** overview, which opens a panel pre-filtered to external grants only.

<Frame>
  <img src="https://mintcdn.com/pleriondocs/mb_vIUd3tv6WYwaN/images/platform/resource-access-grants/external-access-card.jpg?fit=max&auto=format&n=mb_vIUd3tv6WYwaN&q=85&s=f95b189dd74b1670b0f64905edd08224" alt="External access card on the Entitlements AWS overview opening a panel of external grants" width="1246" height="486" data-path="images/platform/resource-access-grants/external-access-card.jpg" />
</Frame>

***

## From external to untrusted

Not all external access is a problem. A vendor integration or a CI/CD identity may be exactly what you intended. Plerion separates the access you have confirmed from the access you have not:

* **Trusted**: The principal matches an entry on your trusted principals list.
* **Untrusted**: An external principal that is not on your trusted principals list.

Untrusted external access is the access most likely to need attention, so Plerion raises a finding for it. To work through your external access:

1. Review the **Untrusted external** preset in the inventory.
2. Add the principals you recognize to your [trusted principals](/guides/platform/resource-access-grants/trusted-principals).
3. Investigate and remediate what remains as [untrusted external access findings](/guides/platform/resource-access-grants/findings).
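The scope and trust labels described above can be reproduced offline against a single policy document. The sketch below is an added example, not Plerion's classification logic: the account IDs, ARNs, policy, and the names `ORG_ACCOUNTS`, `TRUSTED_PRINCIPALS`, `scope_of` and `external_grants` are constructed for illustration. It assumes any `Federated` principal counts as external and ignores `Condition` blocks, which can narrow a wildcard grant in a real policy.

```python
import json
import re

# Constructed sample data: every account ID and ARN below is made up.
ORG_ACCOUNTS = {"111111111111", "222222222222"}   # accounts in your organization
TRUSTED_PRINCIPALS = {"arn:aws:iam::333333333333:role/vendor-scanner"}
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": [
     "arn:aws:iam::111111111111:root",
     "arn:aws:iam::333333333333:role/vendor-scanner", "444444444444"]}},
  {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
   "Principal": {"Federated": "accounts.google.com"}},
  {"Effect": "Allow", "Action": "s3:GetObject", "Principal": "*"},
  {"Effect": "Deny", "Action": "s3:DeleteObject", "Principal": "*"}]}""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Return the 12-digit account ID of an IAM/STS ARN or bare account ID."""
    m = re.fullmatch(r"(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?", principal)
    return m.group(1) if m else None

def scope_of(ptype, value):
    """Return the external scope of one principal, or None if not external."""
    if value == "*":
        return "Public"
    if ptype == "Federated":
        return "Federated"  # assumption: any identity provider counts as external
    if ptype == "AWS" and account_of(value) not in ORG_ACCOUNTS:
        return "Cross-org"  # unparseable AWS principals land here too (conservative)
    return None             # in-org accounts; service principals are out of scope

def external_grants(policy):
    """List (principal, scope, trust) for external principals in Allow statements."""
    rows = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements grant nothing
        principal = stmt.get("Principal", {})
        if principal == "*":              # string form of the wildcard principal
            principal = {"AWS": "*"}
        for ptype, values in principal.items():
            for value in as_list(values):
                scope = scope_of(ptype, value)
                if scope:
                    trust = "Trusted" if value in TRUSTED_PRINCIPALS else "Untrusted"
                    rows.append((value, scope, trust))
    return rows
```

Calling `external_grants(POLICY)` returns one row per external principal; the rows marked `Untrusted` correspond to what step 3 asks you to investigate.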

***

## Related pages

* [Resource access grants](/guides/platform/resource-access-grants/overview): The full inventory and how grants are classified.
* [Trusted principals](/guides/platform/resource-access-grants/trusted-principals): Confirm expected external principals.
* [Untrusted external access findings](/guides/platform/resource-access-grants/findings): Prioritize and resolve unconfirmed external access.
